hipaa compliance Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘hipaa compliance’

Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis.  E.g., if the sender “does nothing special” then the email will be sent in the normal/insecure manner of email in general.  If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it will be encrypted and HIPAA compliant.

Opt-in encryption is desirable because it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if many of their messages do not contain PHI.  It is “good for usability” and thus easy to sell.


However, opt-in encryption became a very bad idea with the introduction of the HIPAA Omnibus rule.  Opt-in encryption imposes a large amount of risk on an organization, and that risk grows with the size of the organization.  Organizations are responsible for the mistakes and lapses of their employees; an encryption system in which a moment of inattention can lead to a breach is something to be very wary of.

Read the rest of this post »

HIPAA-Compliance eBook Series

Wednesday, May 31st, 2017


LUXSCI RELEASES FREE HIPAA-COMPLIANCE EBOOK SERIES

New series further explains secure email, texting, websites, web forms and email marketing.

BOSTON, MA – May 30, 2017 – LuxSci (www.luxsci.com), the HIPAA-compliant Internet and email security experts, has just released a 3-part eBook series on HIPAA-compliant communications, aimed at healthcare organizations that need additional information to better understand the methods and technologies available for safeguarding their practice and protecting patient privacy.

In the first eBook, “HIPAA-Compliant Email Basics”, LuxSci discusses HIPAA and ePHI, the provisions of the HIPAA email security rule, risk analysis and the need for encryption, and takes a closer look at Gmail and Google Apps.

The next eBook, “HIPAA-Compliant Website Basics”, defines what is required from HIPAA-compliant websites, website hosting, and web forms.

The final eBook, “HIPAA-Compliant Bulk Emailing Basics”, is a technical guide to email marketing and outlines best practices for list maintenance, large-scale sending strategies, IP reputation challenges, SPF and DKIM considerations, and HIPAA-compliance specifics.

Erik Kangas, Ph.D. and CEO of LuxSci, says, “Online communications technologies are pervasive and they can really help a healthcare organization stay current and engaged.  Understanding the technologies, the risks, and the best practices is the first step to getting started in a productive, compliant, and profitable direction.  These eBooks provide a great deal of guidance, enabling you to get started quickly.”

To download these free eBooks and find out how LuxSci can help with HIPAA compliance, click here.

If my web site is very simple, do I have to worry about HIPAA compliance?

Friday, March 24th, 2017

We received this question via Ask Erik from a Physicians’ Association:

“Our company website does not contain any patient information.  As a healthcare group, do we need to worry about HIPAA compliance for our site? It contains forms, news and some company policies and procedures but no patient information whatsoever. Thank you.”

Thank you for your question!  Here, we delve into how you can answer this for your site.


Read the rest of this post »

What is the least expensive way I can get my company HIPAA Certified?

Thursday, April 14th, 2016

A common question posed to Ask Erik involves how small organizations can get “HIPAA certified” quickly and with minimal expense.  These questions stem from desperation (people know that they are not compliant), fear (people know that non-compliance is extremely risky in terms of potential fines and bad publicity, not to mention risk to their customers/patients), lack of an understanding of HIPAA (they do not really know what getting “HIPAA certified” means), and lack of resources (time and money are both scarce).  Organizations in this situation know that they need to take steps for compliance ASAP, but they may not know what those steps are and really want to allocate the minimum possible time or money towards them.

What does getting “HIPAA Certified” mean?

The first hurdle is that there is no official, government-sanctioned HIPAA certification program.  So there is no way to be officially “HIPAA certified” and thus “all set.”  What you really must do is strive to be HIPAA-compliant in every aspect of your business that deals with Protected Health Information (PHI), and keep up with your changing organization and the changing compliance landscape over time.

So how can I be HIPAA-compliant?

This is an ongoing process, but here are some steps to get started:

Read the rest of this post »

7 Ways You Could be Unknowingly Violating HIPAA

Friday, August 14th, 2015

Non-compliance with HIPAA can easily lead to unintended breaches where data is exposed to unauthorized parties.  This can be very expensive!  The cost of a breach depends on your degree of negligence; it ranges from $100 to $50,000 per violation (or per data record).

You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in unintended breaches.  Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.

Check your organization!

If any of the following scenarios apply to you, it is worth bringing them up with the person responsible for compliance (your HIPAA Security Officer) so they can be included in your mandatory yearly Risk Analysis.  Is the risk of a breach worth continuing with “business as usual?”

Read the rest of this post »

Case Study: Securely Email Medical Laboratory Results to Patients

Tuesday, April 7th, 2015

We count medical laboratories among our many customers.  They process lab tests for doctors and send the results to the patients via email.

Medical laboratories, while sometimes not HIPAA covered entities themselves, are Business Associates of hospitals and doctors who are required to abide by HIPAA.  Because HIPAA privacy obligations are “transitive,” such Business Associates must take pains to abide by HIPAA security and privacy standards, protecting patient data and ensuring confidentiality.

In order to send patients their results via email, these labs must use a HIPAA-compliant system that can send email to anyone with an email address.

This post describes how one large medical lab uses LuxSci’s SecureLine to safely deliver lab results to thousands of people every day.

Read the rest of this post »

Why HIPAA Compliance for many organizations is like Sony Pictures’ security policies

Wednesday, December 17th, 2014

2014 has been a year of turmoil in terms of Internet security.  There have been huge vulnerabilities (e.g. POODLE, SHELLSHOCK, and more) and large-scale attacks, from the attack on the Sands Casino by Iran in February to the worst one of all, the Sony Pictures hack.

It is arguable that it is impossible to secure an organization of any significant size from penetration by a determined hacker (or government organization or nation state).  Cases in point: consider the attack on the Sands Casino and recent revelations about extremely sophisticated malware such as Regin.  This does not mean that we throw up our hands.

What it does mean is that we need to take security measures seriously, consider them worth the expense, and know that security is a process and not something you “do once.”

What does this have to do with HIPAA Compliance?

The ultimate goal of HIPAA is to protect identifiable patient information.  The scope of HIPAA is extremely broad … from dentists working in their homes, to large hospital chains, to law firms that interact with medical organizations, to web development firms that create sites and software for doctors, etc.  As HIPAA rules, requirements and penalties evolved rapidly, starting with HITECH in 2010 and continuing through Omnibus in 2013, affected organizations suddenly had a myriad of technical rules to follow “or else.”

Read the rest of this post »

Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect impression that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  As of October 2014, this seems increasingly unlikely.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.

Read the rest of this post »

HIPAA-Compliant Web Sites: Requirements and Best Practices

Thursday, February 27th, 2014

We are approached frequently by webmasters and site designers asking for clarification on or guidelines for using ePHI in web sites that must be HIPAA compliant.

While we have discussed previously what makes a web page secure in general and also what in particular makes a web site HIPAA compliant, it seems that a concise recommendation that spells out what you should and should not do with web sites in shared and dedicated environments would be particularly useful to many.

Read the rest of this post »

HIPAA Compliance is Needed for Emailed Appointment Reminders

Friday, September 20th, 2013

Twice in the past few weeks I have received appointment reminders or scheduling information from doctors via email — via insecure, non-HIPAA-compliant email.

An email message contains identifying information: my email address and my name.  The appointment email messages also contain information about “the past, present, or future provisioning of health care to an individual” … me!  Taken together, this means that these email messages are ePHI (more details – what is ePHI?) and needed to be secured in a HIPAA-compliant manner.

That they were not compliant was obvious to me:

Read the rest of this post »